Configure and Test AMP File Policy via FDM

Available Languages

Download Options

  • PDF     (594.8 KB)
    View with Adobe Reader on a variety of devices
Updated:July 23, 2024
Document ID:222189

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure and test an Advanced Malware Protection (AMP) file policy via Firepower Device Manager (FDM).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Firepower Device Manager (FDM)
    • Firepower Threat Defense (FTD)

    Components Used

    • Cisco virtual FTD version 7.0 managed via FDM
    • Evaluation License (Evaluation license is used for demonstration purposes. Cisco recommendation is to acquire and utilize a valid license)

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Instructions

    Licensing

    1. In order to enable the malware license, navigate to the DEVICE page on the FDM GUI.

    FDM Device TabFDM Device Tab

    2. Locate the box labeled Smart License and click View Configuration.

    FDM Device PageFDM Device Page

    3. Enable the license labeled Malware.

    Malware LicenseMalware License

    Configuration

    1. Navigate to the POLICIES page on the FDM.

    FDM Policies TabFDM Policies Tab

    2. Under Security Policies, navigate to the Access Control section.

    FDM Access Control TabFDM Access Control Tab

    3. Find or create an Access Rule to configure the File Policy. Click the Access Rule editor. For instructions on how to create an Access Rule, refer to the this link.

    FDM Access Control RuleFDM Access Control Rule

    4. Click the File Policy section on the Access Rule and select the preferred File Policy option from the dropdown. Click OK to save the changes to the rule.

    FDM Access Control Rule File Policy TabFDM Access Control Rule File Policy Tab

    5. Confirm the File Policy has been applied to the Access Rule by checking if the File Policy icon is enabled.

    File File Policy Icon EnabledFile Policy Icon Enabled

    6. Save and Deploy the changes to the managed device.

    Test

    To verify the configured file policy for malware protection is working, use these testing scenario attempts to download a malware test file from the web browser of an end host.

    As displayed in this screenshot, attempting to download a malware test file from the web browser is unsuccessful.

    Browser Download TestBrowser Download Test

    From the FTD CLI, system support trace shows the file download was blocked by file process. For instructions on how to run a system support trace via the FTD CLI, refer to this link.

    System Support Trace TestSystem Support Trace Test

    This confirms the file policy configuration was successful in blocking malware.

    Troubleshooting

    In case malware is not successfully blocked when using the previous configurations, refer to these troubleshooting suggestions:

    1. Verify malware license is not expired.

    2. Confirm access control rule is targeting correct traffic.

    3. Confirm selected file policy option is correct for targeted traffic and wanted malware protection.

    If issue is still not resolvable, contact Cisco TAC for additional support.

    Revision History

    Revision Publish Date Comments
    1.0
    23-Jul-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Nathan Sloneker
      Security Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products